In today's article, we'll discuss different measures that make up AWS VPC security best practices. Security is built from different layers of protection, so that an attacker who gets through one layer is stopped by the next.
I want to begin with routing, because if you can't reach something and you don't have access to it, it's going to be near impossible to attack. So, if we begin with routing and limit who has access to the systems, it becomes much harder for others to attack them.
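The routing point above, as an added example that is not part of the original article: a minimal route-table lookup using longest-prefix match, the way a VPC route table resolves a destination. The subnet names, CIDRs and route targets are constructed for illustration; a subnet whose table carries no route to a network simply cannot reach it.

```python
"""Added example, not code from the original article or from AWS: a route
table lookup showing that a subnet without a route to a network cannot reach
it. Subnet names, CIDRs and targets below are constructed."""
import ipaddress

# Constructed route tables: each subnet gets only the routes its role needs.
ROUTE_TABLES = {
    "subnet-engineering": [
        ("10.0.0.0/16", "local"),              # VPC-local traffic
        ("10.20.0.0/24", "vgw-constructed"),   # on-premises network over VPN
        ("0.0.0.0/0", "nat-constructed"),      # everything else via NAT
    ],
    "subnet-finance": [
        ("10.0.0.0/16", "local"),              # VPC-local only: no VPN, no internet
    ],
}


def lookup_route(subnet, dst_ip):
    """Return the target of the most specific (longest-prefix) route matching
    dst_ip, or None when no route matches and the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[subnet]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def can_reach(subnet, dst_ip):
    """True when the subnet's route table has any route for dst_ip."""
    return lookup_route(subnet, dst_ip) is not None


if __name__ == "__main__":
    for subnet in ROUTE_TABLES:
        for dst in ("10.0.3.4", "10.20.0.5", "203.0.113.10"):
            print(f"{subnet:20} -> {dst:14}: {lookup_route(subnet, dst)}")
```

Because the finance subnet has only the local route, a host there cannot even send a packet toward the VPN prefix or the internet, which is the "can't reach it, can't hack it" property the paragraph describes.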
- Virtualized Local Area Networks (VLANs): Virtualization of switches, whereby one logically separates a switch into different parts. Each logically separated VLAN is placed in a separate subnet. Routing information is provided only to the subnets that need cloud access. This limits cloud access to the people, and their systems, that need to reach those subnets to perform their roles. If you can't reach a subnet, you can't hack it, so this is first-line security. This type of network security can significantly increase an organization's security posture at no cost.
- FIREWALL: A device or software that builds a strongly secured perimeter around the edge of the network. It blocks all incoming traffic by default and allows only the specific traffic permitted by a firewall policy. There are some phenomenal commercial firewalls that you can use with your VPC: Cisco, Palo Alto, Fortinet, etc. These are very strong firewalls: they not only block traffic, they are adaptive. This means they can look at traffic that doesn't make sense and generate rules on demand to block things they find to be dangerous. So commercial firewalls are a great option.
In a firewall, you create a policy to allow in only what needs to come in: TCP port 179 for BGP routing, and whatever ports your systems need, whether HTTPS, SSH, or whatever is necessary for the organization. The firewall is stateful, which means that once it allows inbound traffic, the corresponding outbound (return) traffic is allowed.
AWS also has a proprietary firewall called the Web Application Firewall (WAF), which is placed on the Content Delivery Network (CDN), Amazon API Gateway, a REST API, or even an Application Load Balancer. In AWS, WAF is configured alongside CloudWatch to monitor traffic metrics. One can set up alerts and create rules to notify systems administrators.
- NETWORK ACCESS CONTROL LISTS: A virtual router function that blocks traffic in and out of subnets. It is stateless, meaning both the inbound and the outbound traffic must be stated explicitly. The virtual device is stateless because it does not track which side opened a connection; it only applies packet inspection rules that allow or deny. All network ACLs have a default policy, which is to deny all traffic. As a result, when building policies, one must specify the source and the destination address (allow rules are evaluated before the default deny), the protocol and the port number; wildcards can be used as well.
- SECURITY GROUP: A virtual firewall that keeps traffic out of the instance (virtual machine) or service. It is stateful: once it allows inbound traffic, the corresponding outbound traffic is allowed.
- HOST-BASED FIREWALL: An additional layer of protection on the operating system against attacks that may not have been caught by network security. These firewalls can protect the system, at least for a period, or maybe completely thwart the attack.
- ANTI-MALWARE PROTECTION: All servers should have anti-malware protection against worms and viruses.
- AWS SHIELD: Distributed Denial of Service (DDoS) protection that minimizes application downtime and latency. There are two versions. The Standard version is free to organizations that are using WAF, and Shield Advanced provides protection for many more things: EC2 instances, load balancers, CloudFront distributions, Route 53, and Global Accelerator.
- INTRUSION PREVENTION / INTRUSION DETECTION SYSTEM (IPS/IDS): A device or software application that monitors a network or systems for malicious activity or policy violations. They look at behaviors, and they adapt and stop the activity as needed, creating rules on demand. It is very useful to have intrusion detection and intrusion prevention in your systems.
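The stateless network ACL and the stateful security group described above behave differently for the same HTTPS exchange. The following is an added example, not code from the original article or from AWS: a simplified model of both devices, with constructed rule numbers, CIDRs, ports and client address, showing that the NACL needs an explicit outbound rule for the server's reply (which goes to the client's ephemeral port) while the security group permits the reply through its connection-tracking table without any outbound rule.

```python
"""Added example, not code from the original article or from AWS: a simplified
model of a stateless network ACL next to a stateful security group. Rule
numbers, CIDRs, ports and the client address are constructed."""
import ipaddress


def nacl_evaluate(rules, direction, proto, remote_ip, port):
    """Stateless evaluation: rules are checked in ascending rule number, the first
    match wins, and a packet matching no rule falls to the implicit deny.
    For inbound packets 'port' is the destination port on the instance; for
    outbound packets it is the destination port at the remote host."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r["rule_no"]):
        lo, hi = rule["ports"]
        if (rule["direction"] == direction
                and rule["proto"] in ("-1", proto)  # "-1" means any protocol
                and lo <= port <= hi
                and addr in ipaddress.ip_network(rule["cidr"])):
            return rule["action"]
    return "deny"


class SecurityGroup:
    """Stateful: only allow rules exist, and the reply to a connection that was
    allowed inbound is permitted via the tracking table without an outbound rule."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound
        self.outbound = outbound
        self.tracked = set()  # (proto, remote_ip, remote_port, local_port)

    @staticmethod
    def _allowed(rules, proto, remote_ip, port):
        addr = ipaddress.ip_address(remote_ip)
        return any(
            r["proto"] in ("-1", proto)
            and r["ports"][0] <= port <= r["ports"][1]
            and addr in ipaddress.ip_network(r["cidr"])
            for r in rules
        )

    def inbound_packet(self, proto, remote_ip, remote_port, local_port):
        if self._allowed(self.inbound, proto, remote_ip, local_port):
            self.tracked.add((proto, remote_ip, remote_port, local_port))
            return "allow"
        return "deny"

    def outbound_packet(self, proto, remote_ip, remote_port, local_port):
        if (proto, remote_ip, remote_port, local_port) in self.tracked:
            return "allow"  # return traffic of a tracked connection
        if self._allowed(self.outbound, proto, remote_ip, remote_port):
            return "allow"
        return "deny"


# Constructed NACL rules: HTTPS in from anywhere. The "broken" outbound table
# forgets that the server's replies go to the client's ephemeral port.
NACL_IN = [
    {"rule_no": 100, "direction": "in", "proto": "tcp",
     "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"},
]
NACL_OUT_BROKEN = [
    {"rule_no": 100, "direction": "out", "proto": "tcp",
     "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"},
]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [
    {"rule_no": 110, "direction": "out", "proto": "tcp",
     "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"},
]

CLIENT_IP, CLIENT_PORT = "198.51.100.7", 50000  # constructed client


def https_through_nacl(outbound_rules):
    """Client request to port 443, then the server's reply to the client port."""
    request = nacl_evaluate(NACL_IN, "in", "tcp", CLIENT_IP, 443)
    reply = nacl_evaluate(outbound_rules, "out", "tcp", CLIENT_IP, CLIENT_PORT)
    return request, reply


def https_through_security_group():
    """The same exchange through a security group with no outbound rules."""
    sg = SecurityGroup(
        inbound=[{"proto": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443)}],
        outbound=[],
    )
    request = sg.inbound_packet("tcp", CLIENT_IP, CLIENT_PORT, 443)
    reply = sg.outbound_packet("tcp", CLIENT_IP, CLIENT_PORT, 443)
    return request, reply


if __name__ == "__main__":
    print("NACL, broken outbound:", https_through_nacl(NACL_OUT_BROKEN))
    print("NACL, fixed outbound: ", https_through_nacl(NACL_OUT_FIXED))
    print("Security group:       ", https_through_security_group())
```

The broken NACL silently drops the reply even though the request was allowed, which is the classic symptom of a stateless filter missing its ephemeral-port rule; the security group, being stateful, needs only the single inbound rule.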
- Identity and Access Management (IAM): It is essential to identify who the user is, what the user can do on the systems, and then to track the user's access. This is performed with identity and access management, which can be summarized as:
- Authentication – Identification of the user (Who are you?)
- Authorization – What can you access
- Accounting – What have you done
Identity and access management gives us the ability to provide the right level of access to our users. What is the right level of access? The minimal amount of access necessary for people to perform their jobs.
- Encryption – Encryption is another component of security. It is a means of securing data by encoding it so that it can only be read, or decrypted, by those with the correct key. Encryption processes translate data using an algorithm that makes the original information unreadable except to authorized users. Encryption should be used for stored data (encryption at rest) and for data in transit (encryption in transit).
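The IAM "right level of access" point and the encryption-in-transit requirement above can be put together in one policy. The following is an added example, not code from the original article or from AWS: a simplified model of IAM policy evaluation (an explicit Deny beats an Allow, and anything not allowed is implicitly denied) applied to a constructed least-privilege policy whose Deny statement uses the `aws:SecureTransport` condition key to refuse requests that are not sent over TLS, plus a check that flags wildcard grants. The policy contents, bucket ARN and request context are constructed.

```python
"""Added example, not code from the original article or from AWS: a simplified
IAM policy evaluator with an aws:SecureTransport condition and a least-privilege
check. Policies, bucket ARN and request contexts below are constructed."""
import fnmatch


def _matches(patterns, value):
    """IAM Action/Resource values may be a string or a list and may use '*'."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_met(condition, context):
    """Only the Bool operator is modelled; it is the one aws:SecureTransport uses.
    A key absent from the request context makes the condition fail, as in IAM."""
    for key, expected in condition.get("Bool", {}).items():
        if key not in context:
            return False
        if str(context[key]).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def wildcard_grants(policy):
    """Least-privilege check: (statement index, field) for every Allow statement
    that grants '*' actions or '*' resources."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt[field] if isinstance(stmt[field], list) else [stmt[field]]
            if "*" in values:
                findings.append((i, field))
    return findings


BUCKET = "arn:aws:s3:::example-reports"  # constructed bucket ARN

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # authorization: read-only access to one bucket, nothing else
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET, BUCKET + "/*"],
        },
        {   # encryption in transit: refuse any request that is not over TLS
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

TLS = {"aws:SecureTransport": "true"}      # constructed request over HTTPS
PLAIN = {"aws:SecureTransport": "false"}   # constructed request over HTTP

if __name__ == "__main__":
    obj = BUCKET + "/q1.csv"
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:GetObject", obj, TLS))
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:GetObject", obj, PLAIN))
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:PutObject", obj, TLS))
    print(wildcard_grants(OVERLY_BROAD_POLICY))
```

The evaluator only models the Bool condition operator and simple `*` globbing, which is enough to show the two ideas in play: the Allow statement grants the minimum the role needs (read one bucket), and the Deny statement enforces encryption in transit regardless of what any Allow says.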
In conclusion, security takes a layered approach. Each layer works together with the others to provide a cohesive security solution!